IETF Logo Mail Archive

Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-mode-6-cmds-09: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 27 August 2020 16:59 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C78AA3A074B; Thu, 27 Aug 2020 09:59:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UH_GdF0fzF_J; Thu, 27 Aug 2020 09:59:43 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A19B3A0BD2; Thu, 27 Aug 2020 09:59:42 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 07RGxb0x030976 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 27 Aug 2020 12:59:39 -0400
Date: Thu, 27 Aug 2020 09:59:37 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: The IESG <iesg@ietf.org>, ntp-chairs@ietf.org, ntp@ietf.org, draft-ietf-ntp-mode-6-cmds@ietf.org, odonoghue@isoc.org
Message-ID: <20200827165937.GQ16914@kduck.mit.edu>
References: <noreply@ietf.org> <159847733996.28106.1103367714274362245@ietfa.amsl.com> <20200827090034.87B9840605C@ip-64-139-1-69.sjc.megapath.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20200827090034.87B9840605C@ip-64-139-1-69.sjc.megapath.net>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/2x-xUliPYg1pZyG74emFf-SMHpI>
Subject: Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-mode-6-cmds-09: (with DISCUSS and COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2020 16:59:45 -0000

On Thu, Aug 27, 2020 at 02:00:34AM -0700, Hal Murray wrote:
> 
> Benjamin Kaduk  said:
> > The considerations of BCP 201 with respect to algorithm agility appear to be
> > quite relevant, with the 96-bit authenticator format locking us into at best
> > 64 bits of MAC, which is fairly weak for Internet use, and 32 bits of key
> > identifier.  This presents its own problems, as 32 bits is too small for a
> > value that is unilaterally assigned by many/all participants and expected to
> > be globally unique, but is rather large for a key identifier space that is
> > centrally managed for use within a single administrative domain.  (The
> > currently specified DES-CBC checksum from RFC 1305 is, of course, considered
> > insecure at this point, as with all things single-DES.) 
> 
> We are down in the weeds, but ...
> 
> The 32 bit Key-ID is not globally unique.  With existing code, it's per 
> server.  There is no reason that it couldn't be per client-server.  (That is 
> unlikely to work if the client is using DHCP.)
> 
> An additional complication is that Autokey (RFC 5906) uses the top 16 bits so that leaves only 16 bits for manual assignment.

Thanks for the extra background on the Key-ID.

> ----------
> 
> Thanks for pointing out the 64 bit MAC.  I've been working in this area for a long time and don't remember seeing any 8 byte MACs.  It would be an interesting archeology project to figure out when support for MD5 (16 bytes) and SHA-1 (20 bytes) was added to the code.
> 
> RFC 8573 added AES-128 CMACs.
> 
> RFC 7822 describes the results of a lot of discussion about how to make old MACs coexist with extension fields.   My memory is that the discussion focused on 16 and 20 byte MACs as used by MD5 and SHA-1.  I think the wording in the RFC supports 20 or shorter.  I don't think any code supports 8 byte MACs.

I would be quite happy if the spec here does not match existing
deployments!  But, we should make sure we are documenting what is actually
used, in that case.

> In practice, in addition to agreeing on the Key and Key-ID, you also have to agree on the algorithm.  There is nothing in the packet that tells you which algorithm to use.  A while ago, you could make a good guess between MD5 and SHA-1 based on the length.  But now, AES-128 is also 16 bytes.  

General crypto best practice is to only use a given key for a single usage
and with a single algorithm, so my expectation is that the algorithm would
be assigned/negotiated at the same time that the key and key-ID are.

-Ben

v2.23.0 | Report a Bug | By Email